<!DOCTYPE html> <html><!--
 Archive processed by SingleFile 
 url: https://mp.weixin.qq.com/s/659bLI5TpFNABmnEyOSYLA 
 saved date: Thu Nov 21 2019 14:36:41 GMT+0800 (中国标准时间) 
--><meta charset=utf-8>
<meta http-equiv=X-UA-Compatible content="IE=edge">
<meta name=viewport content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0,viewport-fit=cover">
<meta name=apple-mobile-web-app-capable content=yes>
<meta name=apple-mobile-web-app-status-bar-style content=black>
<meta name=format-detection content="telephone=no">
<meta name=description content=一篇很棒的文章，通俗易懂受益匪浅。>
<meta name=author content>
<meta property=og:title content=彻底理解cookie，session，token>
<meta property=og:url content="http://mp.weixin.qq.com/s?__biz=MzI3NjU2ODA5Mg==&amp;mid=2247484540&amp;idx=2&amp;sn=77b53d183e8d4c184adad95dee479830&amp;chksm=eb72c50fdc054c1923f927bd653bbb6f5a466153c6ffffef7fed2e78fdd5532817dedcc2a342#rd">
<meta property=og:image content="http://mmbiz.qpic.cn/mmbiz_jpg/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwichNQezjgKKJn1oElffOtMcibcC48mW5QlteYQ32CFnpouSdq6ldVy9hSA/0?wx_fmt=jpeg">
<meta property=og:description content=一篇很棒的文章，通俗易懂受益匪浅。>
<meta property=og:site_name content=微信公众平台>
<meta property=og:type content=article>
<meta property=og:article:author content>
<meta property=twitter:card content=summary>
<meta property=twitter:image content="http://mmbiz.qpic.cn/mmbiz_jpg/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwichNQezjgKKJn1oElffOtMcibcC48mW5QlteYQ32CFnpouSdq6ldVy9hSA/0?wx_fmt=jpeg">
<meta property=twitter:title content=彻底理解cookie，session，token>
<meta property=twitter:creator content>
<meta property=twitter:site content=微信公众平台>
<meta property=twitter:description content=一篇很棒的文章，通俗易懂受益匪浅。>
<title>彻底理解cookie，session，token</title>
<style media>.rich_media_inner{overflow-wrap:break-word;hyphens:auto}.rich_media_area_primary{padding:calc(20px + env(safe-area-inset-top)) calc(16px + env(safe-area-inset-right)) 12px calc(16px + env(safe-area-inset-left))}.rich_media_area_extra{padding:0 calc(16px + env(safe-area-inset-right)) calc(16px + env(safe-area-inset-bottom)) calc(16px + env(safe-area-inset-left))}html{line-height:1.6}body{color:#333;background-color:#f2f2f2;letter-spacing:.034em}h2{font-weight:400}*{margin:0;padding:0}a{-webkit-tap-highlight-color:rgba(0,0,0,0)}.rich_media_title{font-size:22px;line-height:1.4;margin-bottom:14px}@supports(-webkit-overflow-scrolling:touch){.rich_media_title{font-weight:700}}.rich_media_meta_list{margin-bottom:22px;line-height:20px;font-size:0;overflow-wrap:break-word;word-break:break-all}.rich_media_meta_list em{font-style:normal}.rich_media_meta{display:inline-block;vertical-align:middle;margin:0 10px 10px 0;font-size:15px;-webkit-tap-highlight-color:rgba(0,0,0,0)}.rich_media_meta_text{color:rgba(0,0,0,0.3)}.rich_media_meta_nickname{position:relative}.rich_media_content{overflow:hidden;color:#333;font-size:17px;overflow-wrap:break-word;hyphens:auto;text-align:justify;z-index:0}.rich_media_content *{max-width:100% !important;box-sizing:border-box !important;overflow-wrap:break-word !important}.rich_media_content p{clear:both;min-height:1em}.rich_media_content .list-paddingleft-2{padding-left:2.2em}@media screen and (min-width:1024px){.rich_media_area_primary_inner,.rich_media_area_extra_inner{max-width:677px;margin-left:auto;margin-right:auto}.rich_media_area_primary{padding-top:32px}}blockquote{padding-left:10px;border-left:3px solid #dbdbdb;color:rgba(0,0,0,0.5);font-size:15px;padding-top:4px;margin:1em 0}.appmsg_skin_default .rich_media_area_primary{background-color:#fff}.appmsg_style_default .rich_media_tool{padding-top:15px}.read-more__area{margin:30px 0}html,body{height:100%}</style>
<!--[if lt IE 9]>
<link rel="stylesheet" type="text/css" href="//res.wx.qq.com/mmbizwap/zh_CN/htmledition/style/page/appmsg_new/pc492bcc.css">
<![endif]-->
<style id=page/appmsg_new/not_in_mm.css>.weui-flex{display:flex}.weui-flex__item{-webkit-box-flex:1;flex:1 1 0%}html{text-size-adjust:100%}body{line-height:1.6;font-family:-apple-system-font,BlinkMacSystemFont,"Helvetica Neue","PingFang SC","Hiragino Sans GB","Microsoft YaHei UI","Microsoft YaHei",Arial,sans-serif;font-size:16px}body,h2,h3,h4,p,ul,ol{margin:0}a{color:#576b95;text-decoration:none}body,html{-webkit-appearance:none;-webkit-tap-highlight-color:rgba(0,0,0,0)}@media(orientation:portrait){@-webkit-keyframes opr_fade_out{0%{opacity:1}100%{opacity:0}}@-webkit-keyframes opr_fade_in{0%{opacity:0}100%{bottom:0;opacity:1}}}@-webkit-keyframes opr_fade_out{0%{opacity:1}100%{opacity:0}}@-webkit-keyframes opr_fade_in{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes opacity-60-25-0-12{0%{opacity:.25}0.01%{opacity:.25}0.02%{opacity:1}60.01%{opacity:.25}100%{opacity:.25}}@-webkit-keyframes opacity-60-25-1-12{0%{opacity:.25}8.34333%{opacity:.25}8.35333%{opacity:1}68.3433%{opacity:.25}100%{opacity:.25}}@-webkit-keyframes opacity-60-25-2-12{0%{opacity:.25}16.6767%{opacity:.25}16.6867%{opacity:1}76.6767%{opacity:.25}100%{opacity:.25}}@-webkit-keyframes opacity-60-25-3-12{0%{opacity:.25}25.01%{opacity:.25}25.02%{opacity:1}85.01%{opacity:.25}100%{opacity:.25}}@-webkit-keyframes opacity-60-25-4-12{0%{opacity:.25}33.3433%{opacity:.25}33.3533%{opacity:1}93.3433%{opacity:.25}100%{opacity:.25}}@-webkit-keyframes opacity-60-25-5-12{0%{opacity:.270958}41.6767%{opacity:.25}41.6867%{opacity:1}1.67667%{opacity:.25}100%{opacity:.270958}}@-webkit-keyframes opacity-60-25-6-12{0%{opacity:.375125}50.01%{opacity:.25}50.02%{opacity:1}10.01%{opacity:.25}100%{opacity:.375125}}@-webkit-keyframes opacity-60-25-7-12{0%{opacity:.479292}58.3433%{opacity:.25}58.3533%{opacity:1}18.3433%{opacity:.25}100%{opacity:.479292}}@-webkit-keyframes opacity-60-25-8-12{0%{opacity:.583458}66.6767%{opacity:.25}66.6867%{opacity:1}26.6767%{opacity:.25}100%{opacity:.583458}}@-webkit-keyframes opacity-60-25-9-12{0%{opacity:.687625}75.01%{opacity:.25}75.02%{opacity:1}35.01%{opacity:.25}100%{opacity:.687625}}@-webkit-keyframes opacity-60-25-10-12{0%{opacity:.791792}83.3433%{opacity:.25}83.3533%{opacity:1}43.3433%{opacity:.25}100%{opacity:.791792}}@-webkit-keyframes opacity-60-25-11-12{0%{opacity:.895958}91.6767%{opacity:.25}91.6867%{opacity:1}51.6767%{opacity:.25}100%{opacity:.895958}}@-webkit-keyframes loading{0%{transform:rotate3d(0,0,1,0)}100%{transform:rotate3d(0,0,1,360deg)}}@keyframes loading{0%{transform:rotate3d(0,0,1,0)}100%{transform:rotate3d(0,0,1,360deg)}}.article_extend_area{padding:30px 0 0}.article_extend_area:empty{display:none}@supports(-webkit-overflow-scrolling:touch){.reward_button{font-weight:700}}.rich_media_extra{position:relative}.top_banner{background-color:#fff}.ct_mpda_wrp{margin:38px 0 20px}.article_modify_area_primary{margin-top:16px;text-align:left;font-size:15px}.like_btn{-webkit-appearance:none;-webkit-tap-highlight-color:rgba(0,0,0,0);outline:0;background-color:transparent;border:0;display:inline-block;vertical-align:middle;padding:0;font-size:15px;font-family:inherit;line-height:2.13333;color:#576b95}.like_btn::before{font-size:16px;content:"";display:inline-block;width:1em;height:1.125em;vertical-align:middle;margin-top:-0.25em;margin-right:.05em;background:url("data:image/svg+xml;charset=utf8, %3Csvg width='18' height='20' viewBox='0 0 18 20' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M5.485 3.785l2.506-2.477a1.674 1.674 0 0 1 2.352 0l2.505 2.477 3.423.908a1.653 1.653 0 0 1 1.18 2.026l-.917 3.382.918 3.384a1.652 1.652 0 0 1-1.18 2.024l-3.399.902-2.53 2.493a1.674 1.674 0 0 1-2.352 0l-2.506-2.477-3.423-.908a1.653 1.653 0 0 1-1.18-2.026l.917-3.383-.918-3.392a1.652 1.652 0 0 1 1.18-2.025l3.424-.908zm.836 1.447l.006 2.298c0 .59-.317 1.138-.828 1.438l-2.015 1.143 2.005 1.136c.517.29.838.841.838 1.435l-.006 2.298 2.01-1.156a1.667 1.667 0 0 1 1.675-.003l2.007 1.154-.007-2.302c0-.583.319-1.13.829-1.43l2.014-1.142-2.005-1.136a1.647 1.647 0 0 1-.838-1.435l.007-2.298-2.01 1.156a1.65 1.65 0 0 1-1.67.001L6.321 5.232zm-1.094 2.3L5.22 4.994l-2.878.763a.552.552 0 0 0-.398.674l.77 2.851 2.23-1.264a.573.573 0 0 0 .283-.486zm-.278 4.673L2.714 10.94l-.77 2.84a.553.553 0 0 0 .399.676l2.877.763.007-2.537a.548.548 0 0 0-.278-.476zm3.935 2.57l-2.216 1.274 2.096 2.073c.222.22.583.22.806 0l2.103-2.073-2.214-1.274a.57.57 0 0 0-.575 0zm4.222-2.104l.007 2.538 2.879-.763a.552.552 0 0 0 .398-.674l-.771-2.843-2.23 1.265a.57.57 0 0 0-.283.477zm.279-4.664l2.234 1.266.77-2.84a.553.553 0 0 0-.399-.676l-2.877-.763-.007 2.537c0 .196.107.38.279.476zm-4.501-2.57c.176.104.39.104.566 0l2.215-1.274L9.57 2.09a.574.574 0 0 0-.805 0L6.668 4.163l2.216 1.274z' fill='%23576B95' fill-rule='evenodd'/%3E%3C/svg%3E") 0 0 / 1em no-repeat transparent}.like_num{font-size:15px;margin-left:.2em}.like_comment_wrp{font-size:17px;margin-top:9px;margin-bottom:8px;position:relative;z-index:1}.like_comment_wrp::before,.like_comment_wrp::after{content:"";display:inline-block;width:0;height:0;border-width:0 7px 7px;border-style:dashed dashed solid;border-color:transparent transparent rgba(0,0,0,0.03);position:absolute;top:-7px;right:28px}.like_comment_wrp::after{border-bottom-color:#f7f7f7;top:-6px}.like_comment_inner{background-color:rgba(0,0,0,0.03);border-radius:4px;overflow:hidden;padding:24px 16px;display:flex;-webkit-box-align:center;align-items:center;text-align:center}.like_comment_primary_wrp{font-size:16px;margin-top:9px;margin-bottom:4px;background-color:#fff;z-index:21}.like_comment_primary_wrp::before,.like_comment_primary_wrp::after{content:"";display:inline-block;width:0;height:0;border-width:0 7px 7px;border-style:dashed dashed solid;border-color:transparent transparent #fff;position:absolute;top:-7px;right:28px}.like_comment_primary_wrp::after{border-bottom-color:#fff;top:-6px}.like_comment_primary_wrp.editing{position:fixed;top:10px;bottom:0;left:0;right:0;margin:0}.like_comment_primary_wrp.editing::before,.like_comment_primary_wrp.editing::after{display:none}.like_comment_primary_mask{position:fixed;z-index:20;top:0;left:0;bottom:0;right:0;background-color:rgba(0,0,0,0.2)}@-webkit-keyframes weuiLoading{0%{transform:rotate3d(0,0,1,0)}100%{transform:rotate3d(0,0,1,360deg)}}@keyframes weuiLoading{0%{transform:rotate3d(0,0,1,0)}100%{transform:rotate3d(0,0,1,360deg)}}@-webkit-keyframes slidein{0%{transform:translateX(-50%)}100%{transform:translateX(0)}}@keyframes slidein{0%{transform:translateX(-50%)}100%{transform:translateX(0)}}.mpda_bottom_container{position:relative}.rich_media_tool{overflow:hidden;line-height:32px}.rich_media_tool .meta_primary{float:left}.rich_media_tool .meta_extra{float:right}.rich_media_tool .meta_praise{text-align:right}.media_tool_meta i{vertical-align:0;position:relative;top:1px}.meta_praise{-webkit-tap-highlight-color:rgba(0,0,0,0);outline:0}.meta_praise .praise_num{display:inline-block;vertical-align:top}.meta_praise:hover{cursor:pointer}.icon_praise_gray{background:url("") 0 0 / 100% no-repeat transparent;display:inline-block}.rich_media_tool{font-size:15px}.rich_media_tool .meta_primary{margin-right:16px}.rich_media_tool .meta_extra{margin-left:16px;color:#576b95}.rich_media_tool .meta_praise{min-width:2.5em}.rich_media_tool .meta_praise i{margin-right:5px}.icon_praise_gray{background-image:url("data:image/svg+xml;charset=utf8, %3Csvg width='16' height='16' viewBox='0 0 16 16' xmlns='http://www.w3.org/2000/svg'%3E%3Cpath d='M2.5 6.988h-.003c-.095-.01-.167-.022-.125-.022H1.75c-.343 0-.75.39-.75.7v6.73c0 .31.27.57.611.57H2.5V7.01a.51.51 0 0 1 0-.022zm1 .003a.55.55 0 0 1 0 .02v7.955h7.414c.748 0 1.395-.361 1.773-1.324a37.17 37.17 0 0 0 1.115-2.57c.219-.564.413-1.11.575-1.627.247-.785.413-1.48.484-2.058.073-.595-.565-1.021-1.236-1.021h-4.97l.102-.586.18-1.027.13-.55a35.058 35.058 0 0 0 .245-1.128c.212-1.098-.483-2.019-1.238-2.067-.74-.048-1.1.111-1.104.562-.008 1.276-.45 2.805-1.252 4.129-.357.589-.899.965-1.56 1.16-.217.065-.438.107-.658.132zm6.345-1.625h3.78c1.19 0 2.393.804 2.229 2.143-.08.646-.26 1.397-.523 2.235-.17.54-.37 1.107-.597 1.69a38.158 38.158 0 0 1-1.133 2.61c-.525 1.346-1.557 1.922-2.687 1.922H1.61c-.886 0-1.611-.698-1.611-1.57v-6.73c0-.871.864-1.7 1.75-1.7l.719.009A3.285 3.285 0 0 0 3.876 5.9c.435-.13.769-.361.986-.72.71-1.171 1.102-2.525 1.108-3.618C5.978.338 6.901-.07 8.14.01c1.36.088 2.48 1.57 2.155 3.255a36.012 36.012 0 0 1-.253 1.167l-.124.52-.072.414z' fill='%23576B95' fill-rule='nonzero'/%3E%3C/svg%3E");font-size:16px;width:1em;height:1em;background-size:1em}.praise_num{color:#576b95}a,button{cursor:pointer}.rich_media_extra{overflow:hidden}.rich_media_extra_discuss{padding-top:0}.praise_num:empty{margin-left:-3px}.comment_primary_emotion_panel_wrp{position:absolute;z-index:1;padding-top:8px;padding-bottom:16px}.comment_primary_emotion_panel{background:#fff;box-shadow:rgba(0,0,0,0.16) 0 2px 8px 0;border-radius:4px;width:376px;height:216px;overflow-y:auto}.tips_global_primary{color:rgba(0,0,0,0.3)}.weui-dialog{position:fixed;z-index:5000;top:50%;left:16px;right:16px;transform:translate(0,-50%);background-color:#fff;text-align:center;border-radius:12px;overflow:hidden;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;flex-direction:column;max-height:90%}@media screen and (min-width:352px){.weui-dialog{width:320px;margin:0 auto}}.weui-toast{position:fixed;z-index:5000;width:120px;height:120px;top:40%;left:50%;transform:translate(-50%,-50%);background:rgba(17,17,17,0.7);text-align:center;border-radius:5px;color:#fff;display:flex;-webkit-box-orient:vertical;-webkit-box-direction:normal;flex-direction:column;-webkit-box-align:center;align-items:center;-webkit-box-pack:center;justify-content:center}.weui-mask{position:fixed;z-index:1000;top:0;right:0;left:0;bottom:0;background:rgba(0,0,0,0.6)}.weui-mask_transparent{position:fixed;z-index:1000;top:0;right:0;left:0;bottom:0}@-webkit-keyframes weuiLoading{0%{transform:rotate3d(0,0,1,0)}100%{transform:rotate3d(0,0,1,360deg)}}@keyframes weuiLoading{0%{transform:rotate3d(0,0,1,0)}100%{transform:rotate3d(0,0,1,360deg)}}@media screen and (max-width:1023px){.profile_container{display:none !important}}.weui-desktop-popover{white-space:normal;overflow-wrap:break-word;hyphens:auto;z-index:500;color:#353535;line-height:1.6;background:#fff;border-radius:2px}.weui-desktop-popover::before{content:" ";width:8px;height:8px;background-color:#fff;box-shadow:#d4d4d4 0 2px 10px 0;transform:matrix(0.71,0.71,-0.71,0.71,0,0);position:absolute}.weui-desktop-popover::after{content:" ";background-color:#fff;position:absolute}.weui-desktop-popover_img-text{text-align:center}.weui-desktop-popover_pos-up-center{margin-top:16px}.weui-desktop-popover_pos-up-left::before,.weui-desktop-popover_pos-up-center::before,.weui-desktop-popover_pos-up-right::before{top:-4px}.weui-desktop-popover_pos-up-left::after,.weui-desktop-popover_pos-up-center::after,.weui-desktop-popover_pos-up-right::after{height:10px;top:0;left:0;right:0}.weui-desktop-popover_pos-up-center::before,.weui-desktop-popover_pos-down-center::before{margin-left:-4px}.weui-desktop-popover{position:absolute;padding:14px;box-shadow:none;border:1px solid #d9dadc;width:182px;box-sizing:border-box}.weui-desktop-popover::before{box-shadow:none;border:1px solid #d9dadc}.not_in_mm .rich_media_meta_list{position:relative;z-index:1}.not_in_mm .rich_media_content{position:relative}.not_in_mm .profile_container{width:535px;position:absolute;top:100%;left:0;margin-top:10px;font-size:14px}.not_in_mm .profile_inner{position:relative;padding:30px 22px 36px 144px;background-color:#fff;border:1px solid #d9dadc}.not_in_mm .profile_arrow_wrp{position:absolute;left:22px;top:-8px}.not_in_mm .rich_media_inner{position:relative}.not_in_mm .qr_code_pc_outer{position:fixed;left:0;right:0;top:20px;color:#717375;text-align:center;display:none !important}.not_in_mm .qr_code_pc_inner{position:relative;width:740px;margin-left:auto;margin-right:auto}.not_in_mm .qr_code_pc{position:absolute;right:-140px;top:0;width:140px;padding:16px;border:1px solid #d9dadc;background-color:#fff;overflow-wrap:break-word;word-break:break-all}.not_in_mm .qr_code_pc p{font-size:14px;line-height:20px}.not_in_mm .qr_code_pc_img{width:102px;height:102px}@media screen and (min-width:1024px){.not_in_mm .qr_code_pc_outer{top:32px;display:block !important}}.not_in_mm .qr_code_pc{box-sizing:border-box}</style><link rel="shortcut icon" type=image/x-icon href=""></head>
 <body id=activity-detail class="zh_CN mm_appmsg appmsg_skin_default appmsg_style_default not_in_mm">
 
 
 
<div id=js_article class=rich_media>
 
 <div id=js_top_ad_area class=top_banner></div>
 
 <div class=rich_media_inner>
 
 
 <div id=page-content class=rich_media_area_primary>
 <div class=rich_media_area_primary_inner>
 
 
 
 <div id=img-content>
 
 <h2 class=rich_media_title id=activity-name>
 
 
 
 彻底理解cookie，session，token
 </h2>
 <div id=meta_content class=rich_media_meta_list>
 
 <span class="rich_media_meta rich_media_meta_nickname" id=profileBt>
 <a href=https://mp.weixin.qq.com/s/659bLI5TpFNABmnEyOSYLA id=js_name>
 Java架构师之路 </a>
 <div id=js_profile_qrcode class=profile_container style=display:none>
 <div class=profile_inner>
 
 
 
 
 
 </div>
 <span class=profile_arrow_wrp id=js_profile_arrow_wrp>
 
 
 </span>
 </div>
 </span>
 <em id=publish_time class="rich_media_meta rich_media_meta_text">5月23日</em>
 </div>
 
 
 
 
 
 
 
 
 
 
 
 
 
 <div class=rich_media_content id=js_content>
 
 
 
 
 <blockquote data-type=2 data-url data-author-name data-content-utf8-length=49 data-source-title><section><p><span style=color:#4f81bd;font-family:宋体,SimSun;font-size:12px;letter-spacing:.544px;white-space:pre-wrap;widows:1;text-align:justify>作者：墨颜&nbsp;</span><p><span style=color:#4f81bd;font-family:宋体,SimSun;font-size:12px;letter-spacing:.544px;white-space:pre-wrap;widows:1;text-align:justify>http://www.cnblogs.com/moyand/p/9047978.html</span></p></section></blockquote><p><br><section style=white-space:normal;border-width:0;border-style:initial;border-color:initial><section style="margin-right:auto;margin-bottom:10px;margin-left:auto;border-bottom:1px solid #dddddd"><section style="margin-bottom:-1px;padding-right:5px;padding-bottom:6px;padding-left:5px;clear:both;border-bottom:2px solid #ef7060;display:inline-block;line-height:1.1"><p style=color:#000000;font-size:15px><strong><span style=font-size:20px;font-family:宋体,SimSun>发展史</span></strong></p></section></section></section><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>1、很久很久以前，Web基本上就是文档的浏览而已，既然是浏览，作为服务器，不需要记录谁在某一段时间里都浏览了什么文档，每次请求都是一个新的HTTP协议，就是请求加响应，尤其是我不用记住是谁刚刚发了HTTP请求，每个请求对我来说都是全新的。这段时间很嗨皮。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>2、但是随着交互式Web应用的兴起，像在线购物网站，需要登录的网站等等，马上就面临一个问题，那就是要管理会话，必须记住哪些人登录系统， 哪些人往自己的购物车中放商品， 也就是说我必须把每个人区分开，这就是一个不小的挑战，因为HTTP请求是无状态的，所以想出的办法就是给大家发一个会话标识(session id), 说白了就是一个随机的字串，每个人收到的都不一样， 每次大家向我发起HTTP请求的时候，把这个字符串给一并捎过来， 这样我就能区分开谁是谁了</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>3、这样大家很嗨皮了，可是服务器就不嗨皮了，每个人只需要保存自己的session&nbsp;id，而服务器要保存所有人的session id！如果访问服务器多了，就得由成千上万，甚至几十万个。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>这对服务器说是一个巨大的开销，严重的限制了服务器扩展能力，比如说我用两个机器组成了一个集群，小F通过机器A登录了系统，那session&nbsp;id会保存在机器A上，假设小F的下一次请求被转发到机器B怎么办？机器B可没有小F的session&nbsp;id啊。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>有时候会采用一点小伎俩：<strong>session&nbsp;sticky</strong>，就是让小F的请求一直粘连在机器A上，但是这也不管用，要是机器A挂掉了，还得转到机器B去。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>那只好做session的复制了，把session&nbsp;id在两个机器之间搬来搬去，快累死了。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><img data-ratio=0.6411378555798687 data-src="https://mmbiz.qpic.cn/mmbiz_png/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwich5FjxyYCmv6W47ibUq55UjG9ySeCI2UjweFP7zl8EdMcz5OgJzjUDEfw/640?wx_fmt=png" data-type=png data-w=457 _width=457px src="" style="width:457px !important;height:auto !important;visibility:visible !important" crossorigin=anonymous data-fail=0><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>后来有个叫Memcached的支了招：把session&nbsp;id集中存储到一个地方，所有的机器都来访问这个地方的数据，这样一来，就不用复制了，但是增加了单点失败的可能性，要是那个负责session&nbsp;的机器挂了，所有人都得重新登录一遍，估计得被人骂死。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><img data-ratio=0.8271334792122538 data-src="https://mmbiz.qpic.cn/mmbiz_png/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwichbZpoUCHqLibE5Ss9M5Jjfo51bmR0fY34SVdnb0fXNQQaibTtcvLupElQ/640?wx_fmt=png" data-type=png data-w=457 _width=457px src="" style="width:457px !important;height:auto !important;visibility:visible !important" crossorigin=anonymous data-fail=0><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>也尝试把这个单点的机器也搞出集群，增加可靠性，但不管如何，这小小的session 对我来说是一个沉重的负担。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>4、于是有人就一直在思考，我为什么要保存这可恶的session呢，只让每个客户端去保存该多好？</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>可是<strong>如</strong><strong>果不保存这些session&nbsp;id,怎么验证客户端发给我的session&nbsp;id的确是我生成的呢？</strong>如果不去验证，我们都不知道他们是不是合法登录的用户，那些不怀好意的家伙们就可以伪造session&nbsp;id,为所欲为了。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>嗯，对了，关键点就是验证&nbsp;！</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>比如说，小F已经登录了系统，我给他发一个令牌(token)，里边包含了小F的&nbsp;user&nbsp;id，下一次小F再次通过Http请求访问我的时候，把这个token通过Http&nbsp;header带过来不就可以了。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>不过这和session&nbsp;id没有本质区别啊，任何人都可以可以伪造，所以我得想点儿办法，让别人伪造不了。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>那就对数据做一个签名吧，比如说我用HMAC-SHA256&nbsp;算法，加上一个只有我才知道的密钥，对数据做一个签名，把这个签名和数据一起作为token，由于密钥别人不知道，就无法伪造token了。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><img data-ratio=1.033033033033033 data-src="https://mmbiz.qpic.cn/mmbiz_png/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwichN81fmAW8CeBxdemFRYJREhljsAMOTxVQWPhLl6IwV1vHNMz4ofoBnw/640?wx_fmt=png" data-type=png data-w=333 _width=333px src= style="width:333px !important;height:auto !important;visibility:visible !important" crossorigin=anonymous data-fail=0><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>这个token我不保存，当小F把这个token给我发过来的时候，我再用同样的HMAC-SHA256算法和同样的密钥，对数据再计算一次签名，和token中的签名做个比较，如果相同，我就知道小F已经登录过了，并且可以直接取到小F的user&nbsp;id,如果不相同，数据部分肯定被人篡改过，我就告诉发送者：对不起，没有认证。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><img data-ratio=0.8132387706855791 data-src="https://mmbiz.qpic.cn/mmbiz_png/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwichU1DHBOCgr239biafI888awZ13fQ4f11oEL3WyCYNkia7cIrDwR0vTEvA/640?wx_fmt=png" data-type=png data-w=423 _width=423px src= style="width:423px !important;height:auto !important;visibility:visible !important" crossorigin=anonymous data-fail=0><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>Token中的数据是明文保存的（虽然我会用Base64做下编码，&nbsp;但那不是加密），还是可以被别人看到的，所以我不能在其中保存像密码这样的敏感信息。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>当然，如果一个人的token被别人偷走了，那我也没办法，我也会认为小偷就是合法用户，这其实和一个人的session&nbsp;id被别人偷走是一样的。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>这样一来，我就不保存session&nbsp;id了，我只是生成token,然后验证token，我用我的CPU计算时间获取了session</span><a href="http://mp.weixin.qq.com/s?__biz=MzU2MTI4MjI0MQ==&amp;mid=2247483968&amp;idx=1&amp;sn=8f516e2f35cd658e9b5eafc395b4d629&amp;chksm=fc7a6feecb0de6f8fd99417c0d4098d26ec9b00346c94a5e438525fc5a9f05441c42be7815cb&amp;scene=21#wechat_redirect" target=_blank style=text-decoration:underline;font-family:宋体,SimSun;font-size:17px data-linktype=2></a><span style=font-family:宋体,SimSun;font-size:17px>&nbsp;存储空间&nbsp;！</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>解除了session&nbsp;id这个负担，&nbsp;可以说是无事一身轻，&nbsp;我的机器集群现在可以轻松地做水平扩展，&nbsp;用户访问量增大，&nbsp;直接加机器就行。&nbsp;这种无状态的感觉实在是太好了！</span><section style=white-space:normal;border-width:0;border-style:initial;border-color:initial><section style="margin-right:auto;margin-bottom:10px;margin-left:auto;border-bottom:1px solid #dddddd"><section style="margin-bottom:-1px;padding-right:5px;padding-bottom:6px;padding-left:5px;clear:both;border-bottom:2px solid #ef7060;display:inline-block;line-height:1.1"><p style=color:#000000;font-size:15px><strong><span style=font-size:20px;font-family:宋体,SimSun>Cookie</span></strong></p></section></section></section><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>cookie&nbsp;是一个非常具体的东西，指的就是浏览器里面能永久存储的一种数据，仅仅是浏览器实现的一种数据存储功能。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>cookie由服务器生成，发送给浏览器，浏览器把cookie以kv形式保存到某个目录下的文本文件内，下一次请求同一网站时会把该cookie发送给服务器。由于cookie是存在客户端上的，所以浏览器加入了一些限制确保cookie不会被恶意使用，同时不会占据太多磁盘空间，所以每个域的cookie数量是有限的。</span><section style=white-space:normal;border-width:0;border-style:initial;border-color:initial><section style="margin-right:auto;margin-bottom:10px;margin-left:auto;border-bottom:1px solid #dddddd"><section style="margin-bottom:-1px;padding-right:5px;padding-bottom:6px;padding-left:5px;clear:both;border-bottom:2px solid #ef7060;display:inline-block;line-height:1.1"><p style=color:#000000;font-size:15px><strong><span style=font-size:20px;font-family:宋体,SimSun>Session</span></strong></p></section></section></section><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>session&nbsp;从字面上讲，就是会话。这个就类似于你和一个人交谈，你怎么知道当前和你交谈的是张三而不是李四呢？对方肯定有某种特征（长相等）表明他就是张三。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>session&nbsp;也是类似的道理，服务器要知道当前发请求给自己的是谁。为了做这种区分，服务器就要给每个客户端分配不同的“身份标识”，然后客户端每次向服务器发请求的时候，都带上这个“身份标识”，服务器就知道这个请求来自于谁了。至于客户端怎么保存这个“身份标识”，可以有很多种方式，对于浏览器客户端，大家都默认采用&nbsp;cookie&nbsp;的方式。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>服务器使用session把用户的信息临时保存在了服务器上，用户离开网站后session会被销毁。这种用户信息存储方式相对cookie来说更安全，可是session有一个缺陷：如果web服务器做了负载均衡，那么下一个操作请求到了另一台服务器的时候session会丢失。</span><section style=white-space:normal;border-width:0;border-style:initial;border-color:initial><section style="margin-right:auto;margin-bottom:10px;margin-left:auto;border-bottom:1px solid #dddddd"><section style="margin-bottom:-1px;padding-right:5px;padding-bottom:6px;padding-left:5px;clear:both;border-bottom:2px solid #ef7060;display:inline-block;line-height:1.1"><p style=color:#000000;font-size:15px><strong><span style=font-size:20px;font-family:宋体,SimSun>Token</span></strong></p></section></section></section><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>在Web领域基于Token的身份验证随处可见。在大多数使用Web&nbsp;API的互联网公司中，tokens是多用户下处理认证的最佳方式。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>以下几点特性会让你在程序中使用基于Token的身份验证</span><ol class=list-paddingleft-2><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>无状态、可扩展</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>支持移动设备</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>跨程序调用</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>安全</span></p></ol><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>那些使用基于Token的身份验证的大佬们</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>大部分你见到过的API和Web应用都使用tokens。例如Facebook,Twitter,Google+,GitHub等。</span><section style=white-space:normal;border-width:0;border-style:initial;border-color:initial><section style="margin-right:auto;margin-bottom:10px;margin-left:auto;border-bottom:1px solid #dddddd"><section style="margin-bottom:-1px;padding-right:5px;padding-bottom:6px;padding-left:5px;clear:both;border-bottom:2px solid #ef7060;display:inline-block;line-height:1.1"><p style=color:#000000;font-size:15px><strong><span style=font-size:20px;font-family:宋体,SimSun>Token的起源</span></strong></p></section></section></section><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>在介绍</span><span style=font-family:宋体,SimSun;font-size:17px>基于Token的身份验证的原</span><span style=font-family:宋体,SimSun;font-size:17px>理与优势之前，不妨先看看之前的认证都是怎么做的。</span><h4 style='letter-spacing:.7px;white-space:normal;margin-top:1.3em;margin-bottom:1.3em;font-size:15px;color:#159957;line-height:inherit;font-family:"Helvetica Neue",Helvetica,"Hiragino Sans GB","Microsoft YaHei",Arial,sans-serif;font-weight:bold'><span style=line-height:inherit;font-family:宋体,SimSun;font-size:17px;color:#c0504d>基于服务器的验证</span></h4><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>我们都是知道HTTP协议是无状态的，这种无状态意味着程序需要验证每一次请求，从而辨别客户端的身份。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>在这之前，程序都是通过在服务端存储的登录信息来辨别请求的。这种方式一般都是通过存储Session来完成。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>随着Web，应用程序，已经移动端的兴起，这种验证的方式逐渐暴露出了问题。尤其是在可扩展性方面。</span><h4 style='letter-spacing:.7px;white-space:normal;margin-top:1.3em;margin-bottom:1.3em;font-size:15px;color:#159957;line-height:inherit;font-family:"Helvetica Neue",Helvetica,"Hiragino Sans GB","Microsoft YaHei",Arial,sans-serif;font-weight:bold'><span style=line-height:inherit;font-family:宋体,SimSun;font-size:17px;color:#c0504d>基于服务器验证方式暴露的一些问题</span></h4><ol class=list-paddingleft-2><li><p style=margin-top:5px;margin-bottom:5px><span style=font-family:宋体,SimSun;font-size:17px><strong><span style=color:inherit;line-height:inherit;font-size:15px>Seesion：</span></strong><span style=color:inherit;line-height:inherit;font-size:15px>每次认证用户发起请求时，服务器需要去创建一个记录来存储信息。当越来越多的用户发请求时，内存的开销也会不断增加。</span></span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=font-family:宋体,SimSun;font-size:17px><strong><span style=color:inherit;line-height:inherit;font-size:15px>可扩展性：</span></strong><span style=color:inherit;line-height:inherit;font-size:15px>在服务端的内存中使用Seesion存储登录信息，伴随而来的是可扩展性问题。</span></span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=font-family:宋体,SimSun;font-size:17px><strong><span style=color:inherit;line-height:inherit;font-size:15px>CORS(跨域资源共享)：</span></strong><span style=color:inherit;line-height:inherit;font-size:15px>当我们需要让数据跨多台移动设备上使用时，跨域资源的共享会是一个让人头疼的问题。在使用Ajax抓取另一个域的资源，就可以会出现禁止请求的情况。</span></span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=font-family:宋体,SimSun;font-size:17px><strong><span style=color:inherit;line-height:inherit;font-size:15px>CSRF(跨站请求伪造)：</span></strong><span style=color:inherit;line-height:inherit;font-size:15px>用户在访问银行网站时，他们很容易受到跨站请求伪造的攻击，并且能够被利用其访问其他的网站。</span></span></p></ol><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>在这些问题中，可扩展行是最突出的。因此我们有必要去寻求一种更有行之有效的方法。</span><h4 style='letter-spacing:.7px;white-space:normal;margin-top:1.3em;margin-bottom:1.3em;font-size:15px;color:#159957;line-height:inherit;font-family:"Helvetica Neue",Helvetica,"Hiragino Sans GB","Microsoft YaHei",Arial,sans-serif;font-weight:bold'><span style=line-height:inherit;font-family:宋体,SimSun;font-size:17px;color:#c0504d>基于Token的验证原理</span></h4><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>基于Token的身份验证是无状态的，我们不将用户信息存在服务器或Session中。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>这种概念解决了在服务端存储信息时的许多问题</span><blockquote style='letter-spacing:.7px;white-space:normal;padding:10px 15px 10px 1rem;border-left-width:6px;border-left-color:#dce6f0;font-size:.8em;line-height:inherit;background:#f2f7fb;overflow:auto;word-break:normal;font-family:"Helvetica Neue",Helvetica,"Hiragino Sans GB","Microsoft YaHei",Arial,sans-serif'><p style=margin-top:5px;margin-bottom:5px;font-size:inherit;color:inherit;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>NoSession意味着你的程序可以根据需要去增减机器，而不用去担心用户是否登录。</span></p></blockquote><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>基于Token的身份验证的过程如下:</span><ol class=list-paddingleft-2><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>用户通过用户名和密码发送请求。</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>程序验证。</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>程序返回一个签名的token&nbsp;给客户端。</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>客户端储存token,并且每次用于每次发送请求。</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>服务端验证token并返回数据。</span></p></ol><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>每一次请求都需要token。token应该在HTTP的头部发送从而保证了Http请求无状态。我们同样通过设置服务器属性Access-Control-Allow-Origin:*&nbsp;，让服务器能接受到来自所有域的请求。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>需要主要的是，在ACAO头部标明(designating)*时，不得带有像HTTP认证，客户端SSL证书和cookies的证书。<br></span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>实现思路：</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><img data-ratio=0.8184663536776213 data-src="https://mmbiz.qpic.cn/mmbiz_png/M7B64fHXIStBdq1psdgIhwEiaMZ8yNwichpQfnMIwwx92UYObLVkdibicniaZwGLJgjJI5HGUTj9OuCR04tTDeC6MQQ/640?wx_fmt=png" data-type=png data-w=639 _width=639px src="" style="width:639px !important;height:auto !important;visibility:visible !important" crossorigin=anonymous data-fail=0><ol class=list-paddingleft-2><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>用户登录校验，校验成功后就返回Token给客户端。</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>客户端收到数据后保存在客户端</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>客户端每次访问API是携带Token到服务器端。</span></p><li><p style=margin-top:5px;margin-bottom:5px><span style=color:inherit;line-height:inherit;font-family:宋体,SimSun;font-size:17px>服务器端采用filter过滤器校验。校验成功则返回请求数据，校验失败则返回错误码</span></p></ol><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>当我们在程序中认证了信息并取得token之后，我们便能通过这个Token做许多的事情。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>我们甚至能基于创建一个基于权限的token传给第三方应用程序，这些第三方程序能够获取到我们的数据（当然只有在我们允许的特定的token）</span><section style=white-space:normal;border-width:0;border-style:initial;border-color:initial><section style="margin-right:auto;margin-bottom:10px;margin-left:auto;border-bottom:1px solid #dddddd"><section style="margin-bottom:-1px;padding-right:5px;padding-bottom:6px;padding-left:5px;clear:both;border-bottom:2px solid #ef7060;display:inline-block;line-height:1.1"><p style=color:#000000;font-size:15px><strong><span style=font-size:20px;font-family:宋体,SimSun>Tokens的优势</span></strong></p></section></section></section><h3 style='letter-spacing:.7px;white-space:normal;margin-top:1.3em;margin-bottom:1.3em;font-size:1.1em;color:#159957;line-height:inherit;font-family:"Helvetica Neue",Helvetica,"Hiragino Sans GB","Microsoft YaHei",Arial,sans-serif;font-weight:bold'><span style=color:#7b0c00;font-family:宋体,SimSun;font-size:17px><strong>无状态、可扩展</strong></span><br></h3><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>在客户端存储的Tokens是无状态的，并且能够被扩展。基于这种无状态和不存储Session信息，负载负载均衡器能够将用户信息从一个服务传到其他服务器上。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>如果我们将已验证的用户的信息保存在Session中，则每次请求都需要用户向已验证的服务器发送验证信息(称为Session亲和性)。用户量大时，可能会造成一些拥堵。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>但是不要着急。使用tokens之后这些问题都迎刃而解，因为tokens自己hold住了用户的验证信息。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=color:#7b0c00;font-family:宋体,SimSun;font-size:17px><strong>安全性</strong></span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>请求中发送token而不再是发送cookie能够防止CSRF(跨站请求伪造)。即使在客户端使用cookie存储token，cookie也仅仅是一个存储机制而不是用于认证。不将信息存储在Session中，让我们少了对session操作。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>token是有时效的，一段时间之后用户需要重新验证。我们也不一定需要等到token自动失效，token有撤回的操作，通过token&nbsp;revocataion可以使一个特定的token或是一组有相同认证的token无效。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=color:#7b0c00;font-family:宋体,SimSun;font-size:17px><strong>可扩展性</strong></span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>Tokens能够创建与其它程序共享权限的程序。例如，能将一个随便的社交帐号和自己的大号(Fackbook或是Twitter)联系起来。当通过服务登录Twitter(我们将这个过程Buffer)时，我们可以将这些Buffer附到Twitter的数据流上(we&nbsp;are&nbsp;allowing&nbsp;Buffer&nbsp;to&nbsp;post&nbsp;to&nbsp;our&nbsp;Twitter&nbsp;stream)。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>使用tokens时，可以提供可选的权限给第三方应用程序。当用户想让另一个应用程序访问它们的数据，我们可以通过建立自己的API，得出特殊权限的tokens。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=color:#7b0c00;font-family:宋体,SimSun;font-size:17px><strong>多平台跨域</strong></span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>我们提前先来谈论一下CORS(跨域资源共享)，对应用程序和服务进行扩展的时候，需要介入各种各种的设备和应用程序。</span><blockquote style='letter-spacing:.7px;white-space:normal;padding:10px 15px 10px 1rem;border-left-width:6px;border-left-color:#dce6f0;font-size:.8em;line-height:inherit;background:#f2f7fb;overflow:auto;word-break:normal;font-family:"Helvetica Neue",Helvetica,"Hiragino Sans GB","Microsoft YaHei",Arial,sans-serif'><p style=margin-top:5px;margin-bottom:5px;font-size:inherit;color:inherit;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>Having our API just serve data, we can also make the design choice to serve assets from a CDN. This eliminates the issues that CORS brings up after we set a quick header configuration for our application.</span></p></blockquote><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>只要用户有一个通过了验证的token，数据和资源就能够在任何域上被请求到。</span><pre style=background-color:#ffffff;letter-spacing:.7px;font-size:15px;line-height:inherit><code style="margin-right:2px;margin-left:2px;padding:.5em;font-size:12px;color:white;line-height:15px;border-radius:0;background:#333333;font-family:Consolas,Inconsolata,Courier,monospace;display:block;overflow-x:auto;word-spacing:-3px;letter-spacing:0;overflow-wrap:normal !important;word-break:normal !important;overflow-y:auto !important"><span style="font-family:宋体,SimSun;color:#ffffaa;line-height:inherit;font-size:17px;overflow-wrap:inherit !important;word-break:inherit !important">Access-Control-Allow-Origin:&nbsp;*&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br></span></code></pre><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><br><span style=font-family:宋体,SimSun;font-size:17px>基于标准创建token的时候，你可以设定一些选项。我们在后续的文章中会进行更加详尽的描述，但是标准的用法会在JSON&nbsp;Web&nbsp;Tokens体现。</span><p style=margin-top:1.3em;margin-bottom:1.3em;letter-spacing:.7px;white-space:normal;font-size:15px;line-height:inherit><span style=font-family:宋体,SimSun;font-size:17px>最近的程序和文档是供给JSON&nbsp;Web&nbsp;Tokens的。它支持众多的语言。这意味在未来的使用中你可以真正的转换你的认证机制。</span><p style=white-space:normal;letter-spacing:.544px;text-align:left;line-height:2em><strong><span style=font-size:15px;letter-spacing:1px;font-family:宋体,SimSun;color:#ab1942>【推荐阅读<strong style=letter-spacing:.544px><span style=letter-spacing:1px>】</span></strong></span></strong><p style=white-space:normal><a href="https://mp.weixin.qq.com/s?__biz=MzI3NjU2ODA5Mg==&amp;mid=2247484497&amp;idx=1&amp;sn=e0642cf98e3853eb3aaa825ce5e2096c&amp;scene=21#wechat_redirect" target=_blank data-linktype=2><span style=font-size:14px;color:#021eaa>[技术]：Java问题排查工具单</span></a><p style=white-space:normal><a href="https://mp.weixin.qq.com/s?__biz=MzI3NjU2ODA5Mg==&amp;mid=2247484510&amp;idx=2&amp;sn=48e45795f0ce0a0fafe42e9c4d8f73f4&amp;scene=21#wechat_redirect" target=_blank data-linktype=2><span style=font-size:14px;color:#021eaa>[职场]：华为员工年薪 200 万！真相让人心酸！</span></a><p style=white-space:normal><a href="https://mp.weixin.qq.com/s?__biz=MzI3NjU2ODA5Mg==&amp;mid=2247484497&amp;idx=2&amp;sn=338cb2ce7014e090f8e79a2516a64181&amp;scene=21#wechat_redirect" target=_blank data-linktype=2><span style=font-size:14px;color:#021eaa>[面试]：两年JAVA程序员的面试总结</span></a><p style=white-space:normal;text-align:center><br><p style=white-space:normal;text-align:center><span style=color:#021eaa><strong>推荐一个公众号<br></strong></span><p style=white-space:normal;letter-spacing:.544px;background-color:#ffffff;text-align:center><span style=color:#ab1942><strong><span style=font-size:14px;font-variant-numeric:normal;font-variant-east-asian:normal;letter-spacing:1.5px;line-height:25px;widows:1>码农技术圈，纯技术号，这里有BAT的大牛，定期分享优质技术文章，还有高薪内推职位。扫码关注领取经典JAVA书籍。</span></strong></span><p style=white-space:normal;text-align:center><img class=rich_pages data-ratio=1 data-s=300,640 data-src="https://mmbiz.qpic.cn/mmbiz_jpg/M7B64fHXISvP8XL03MZahspicQ8wF2LZuUYV3fvvLnY8qy9bTG31icpdvzHQ11ddzPaibznB5CTJlr4e0QPoCjJUg/640?wx_fmt=jpeg" data-type=jpeg data-w=258 style="width:259px !important;height:auto !important;visibility:visible !important" _width=259px src="" crossorigin=anonymous data-fail=0></p>
 </div>
 
 
 <div class=ct_mpda_wrp id=js_sponsor_ad_area style=display:none></div>
 
 <div class=read-more__area id=js_more_read_area style=display:none>
 
 </div>
 </div>
 
 <div class="article_modify_area tips_global_primary article_modify_area_primary">
 文章已于<span id=js_modify_time>2019-06-05</span>修改 </div>
 
 
 <ul id=js_hotspot_area class=article_extend_area></ul>
 
 
<div class=rich_media_tool id=js_toobar3>
 <div class=weui-flex>
 <div class=weui-flex__item>
 
 <div id=js_read_area3 class="media_tool_meta tips_global_primary meta_primary" style=display:none>
 <span id=readTxt>阅读</span>
 <span id=readNum3></span>
 </div>
 </div>
 <span style=display:none class="media_tool_meta meta_extra meta_praise" id=like_old>
 <i class=icon_praise_gray></i><span class=praise_num id=likeNum_old></span>
 </span>
 
 <span style=visibility:hidden class="media_tool_meta meta_extra meta_like" id=like3>
 <button class=like_btn id=js_like_btn> 
 <span id=js_like_wording> 在看</span><span class=like_num id=likeNum3></span>
 </button>
 </span>
 
 </div>
</div>
 
 <div class=like_comment_wrp id=js_like_comment style=display:none>
 <div class=like_comment_inner>
 
 
 </div>
 </div> 
 <div style=display:none id=wow_close_inform>
 <div class=weui-mask></div>
 <div class=weui-dialog>
 
 
 
 </div>
 </div>
<div id=js_like_toast style=display:none>
 <div class=weui-mask_transparent></div>
 <div class=weui-toast>
 
 
 </div>
</div>
<div style=display:none id=js_comment_panel>
 <div class="like_comment_primary_wrp editing" id=js_comment_wrp>
 
 </div> 
 <div class=like_comment_primary_mask id=js_mask_2></div>
</div>
<div id=js_loading style=display:none>
 <div class=weui-mask_transparent></div>
 <div class=weui-toast>
 
 
 </div>
</div>
 </div>
 </div>
 <div class="rich_media_area_primary sougou" id=sg_tj style=display:none></div>
 
 <div class=rich_media_area_extra>
 <div class=rich_media_area_extra_inner>
 
 <div id=js_share_appmsg>
 </div>
 
 
 <div class=mpda_bottom_container id=js_bottom_ad_area style=display:none></div>
 
 <div id=js_iframetest style=display:none></div>
 
 <div class="rich_media_extra rich_media_extra_discuss" id=js_cmt_container style=display:none>
 
 
 <div class=discuss_mod id=js_friend_cmt_area style=display:none>
 
 
 
 </div>
 <div class=discuss_mod id=js_cmt_area style=display:none>
 </div>
 </div>
 </div>
 </div>
 
 <div id=js_pc_qr_code class=qr_code_pc_outer style=display:block;>
 <div class=qr_code_pc_inner>
 <div class=qr_code_pc>
 <img id=js_pc_qr_code_img class=qr_code_pc_img src="">
 <p>微信扫一扫<br>关注该公众号</p>
 </div>
 </div>
 </div>
 </div>
</div>
<div id=js_pc_weapp_code class="weui-desktop-popover weui-desktop-popover_pos-up-center weui-desktop-popover_img-text" style=display:none>
 <div class=weui-desktop-popover__content>
 
 </div>
</div>
<div id=js_minipro_dialog style=display:none>
 <div class=weui-mask></div>
 <div class="weui-dialog weui-dialog_link">
 
 
 
 
 </div>
</div>
<div id=js_link_dialog style=display:none>
 <div class=weui-mask></div>
 <div class="weui-dialog weui-dialog_link">
 
 
 
 
 </div>
</div>
<div class=comment_primary_emotion_panel_wrp id=js_emotion_panel_pc style=display:none>
 <div class=comment_primary_emotion_panel>
 
 </div>
</div>
<div class=weui-dialog__wrp id=js_alert_panel style=display:none>
 <div class=weui-mask></div>
 <div class=weui-dialog>
 
 
 </div>
</div>
<div id=js_weapp_without_auth_dialog style=display:none>
 <div class=weui-mask></div>
 <div class="weui-dialog weui-dialog_link">
 
 
 </div>
</div>
 
 
 
 
 
 
